README.md

@@ -15,9 +15,10 @@ This repository aims to handle most of the Unitoo basic/ standard configuration
 
 The examples for `Dockerfile.example` and `docker-compose.yml.example` are useful if you need a basic container to test your playbook with different systems (like Centos/ Ubuntu). Copy them and modify as needed :)
 
-## Global variables
+## Global tags
 
-- **update_only**: used in combination with some tags to skip installation phase o not needed and trigger the update phase only (for configurations as example)
+- **global.update_only**: skip installation/ first setup phase and trigger the update phase only (for configurations as example); each role needs to implement this.
+- **global.uninstall**: activate the uninstall phase for specified tags and targets
 
 ## Authors & contributors
 

handbook.yml

@@ -1,21 +1,23 @@
 ---
 
-- name: "Setup a GNU/Linux target with standards or defined tags"
+- name: "Unitoo Handbook"
   hosts: "{{ target if target is defined else 'planets' }}"
 
+  tags: always
   roles:
     # --- Hardening ---
     # Basic rules or good practises to apply
 
     - { role: hardening-basic, tags: [hardening, ips, ids] }
     - { role: iptables-basic, tags: [firewall, ips, ids] }
-    - { role: fail2ban-basic, tags: [fail2ban, ips, ids] }
-    - { role: auditd, tags: [auditd] }
+    - { role: fail2ban-basic, tags: [hardening, fail2ban, ips, ids] }
+    - { role: auditd, tags: [hardening, auditd] }
     - { role: iptables-webserver, tags: [firewall, webserver] }
     - { role: iptables-kdeconnect, tags: [firewall] }
 
     # --- Sysadmin ---
     - { role: sysadmin-tools, tags: [sysadmin] }
+    - { role: wakeonlan, tags: [wol] }
 
     # --- Services ---
     # Role relative to services, applications and so on

roles/auditd/meta/main.yml

@@ -39,7 +39,9 @@ galaxy_info:
   #   - 7
   #   - 99.99
 
-  galaxy_tags: []
+  galaxy_tags:
+    - hardening
+    - auditd
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.

roles/auditd/tasks/main.yml

@@ -1,8 +1,12 @@
 ---
 # tasks file for auditd
 
-- name: Install and setup rules Auditd if enabled
-  when: 'auditd_enabled is true'
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ auditd_enabled }}; auditd role"
+
+- when:
+    - 'auditd_enabled is true'
+    - "'global.update_only' not in ansible_run_tags"
   block:
     - name: Install auditd
       ansible.builtin.package:

roles/dns-filter/meta/main.yml

@@ -39,7 +39,8 @@ galaxy_info:
   #   - 7
   #   - 99.99
 
-  galaxy_tags: []
+  galaxy_tags:
+    - dns_filter
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.

roles/dns-filter/tasks/main.yml

@@ -1,11 +1,25 @@
 ---
 # tasks file for dns-filter
 
-- name: Install selected DNS filter if enabled
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ dns_filter_enabled }}; FILTER = {{ dns_filter_selected }}; dns-filter role; setup the target as DNS server"
+
+- when:
     - "dns_filter_enabled is true"
     - "dns_filter_selected in dns_filter_list"
-  block:
-    - name: Call DNS filter role
-      ansible.builtin.include_role:
-        name: "{{ dns_filter_selected }}"
+  ansible.builtin.include_role:
+    name: "{{ dns_filter_selected }}"
+
+- name: Allow/ disallow port 53 for DNS querying
+  ansible.builtin.iptables:
+    chain: INPUT
+    state: "{{ 'present' if dns_filter_enabled is true else 'absent' }}"
+    protocol: '{{ item }}'
+    destination_port: 53
+    jump: ACCEPT
+    comment: Accept DNS connections
+  loop: [tcp,udp]
+
+- name: iptables-persistent
+  ansible.builtin.include_role:
+    name: iptables-persistent

roles/fail2ban-basic/meta/main.yml

@@ -39,7 +39,11 @@ galaxy_info:
   #   - 7
   #   - 99.99
 
-  galaxy_tags: []
+  galaxy_tags:
+    - hardening
+    - fail2ban
+    - ips
+    - ids
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.

roles/fail2ban-basic/tasks/main.yml

@@ -1,8 +1,12 @@
 ---
 # tasks file for fail2ban-basic
-#
-- name: Fail2ban Configuration
-  when: fail2ban_enabled is true
+
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ fail2ban_enabled }}; fail2ban-basic role"
+
+- when:
+    - 'fail2ban_enabled is true'
+    - "'global.update_only' not in ansible_run_tags"
   block:
     - name: Install Fail2ban
       ansible.builtin.package:

roles/hardening-basic/tasks/main.yml

@@ -1,61 +1,61 @@
 ---
 # tasks file for hardening-basic
 
-- name: Basic Hardening
+- ansible.builtin.debug:
+    msg: "hardening-basic role"
+
+- name: Create directory structure
+  ansible.builtin.file:
+    path: '/etc/{{ item.path }}'
+    state: directory
+    mode: '{{ item.mode }}'
+  with_community.general.filetree: '../templates/basic/etc/'
+  when: item.state == 'directory'
+
+- name: Create and copy hardening files
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '/etc/{{ item.path }}'
+  with_community.general.filetree: '../templates/basic/etc/'
+  when: item.state == 'file'
+
+- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config
+  when: 'hardening_sshd_enabled is true'
   block:
     - name: Create directory structure
       ansible.builtin.file:
         path: '/etc/{{ item.path }}'
         state: directory
         mode: '{{ item.mode }}'
-      with_community.general.filetree: '../templates/basic/etc/'
+      with_community.general.filetree: '../templates/ssh/etc/'
       when: item.state == 'directory'
 
     - name: Create and copy hardening files
       ansible.builtin.template:
         src: '{{ item.src }}'
         dest: '/etc/{{ item.path }}'
-      with_community.general.filetree: '../templates/basic/etc/'
+      with_community.general.filetree: '../templates/ssh/etc/'
       when: item.state == 'file'
 
-    - name: Harden SSH Config
-      when: 'hardening_sshd_enabled is true'
-      block:
-        - name: Create directory structure
-          ansible.builtin.file:
-            path: '/etc/{{ item.path }}'
-            state: directory
-            mode: '{{ item.mode }}'
-          with_community.general.filetree: '../templates/ssh/etc/'
-          when: item.state == 'directory'
+    - name: Give 1700 permissions to .ssh folder
+      ansible.builtin.file:
+        path: /root/.ssh
+        owner: root
+        group: root
+        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
 
-        - name: Create and copy hardening files
-          ansible.builtin.template:
-            src: '{{ item.src }}'
-            dest: '/etc/{{ item.path }}'
-          with_community.general.filetree: '../templates/ssh/etc/'
-          when: item.state == 'file'
+    - name: Give 1600 permissions to .ssh/authorized_keys file
+      ansible.builtin.file:
+        path: /root/.ssh/authorized_keys
+        owner: root
+        group: root
+        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
 
-        - name: Give 1700 permissions to .ssh folder
-          ansible.builtin.file:
-            path: /root/.ssh
-            owner: root
-            group: root
-            mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
+    - name: Restart sshd
+      when: "is_docker is not true"
+      ansible.builtin.systemd:
+        state: restarted
+        name: sshd
 
-        - name: Give 1600 permissions to .ssh/authorized_keys file
-          ansible.builtin.file:
-            path: /root/.ssh/authorized_keys
-            owner: root
-            group: root
-            mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
-
-        - name: Restart sshd
-          when: "is_docker is not true"
-          ansible.builtin.systemd:
-            state: restarted
-            name: sshd
-
-    - name: Harden Service Manager (like Systemd)
-      block:
-        - include_tasks: "harden_{{ ansible_service_mgr }}.yml"
+- name: Harden Service Manager (like Systemd)
+  include_tasks: "harden_{{ ansible_service_mgr }}.yml"

roles/ipfs/tasks/main.yml

@@ -1,12 +1,16 @@
 ---
 # tasks file for ipfs
 
-- name: Install IPFS if enabled
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ ipfs_enabled }}; ipfs role; setup the target as IPFS node"
+
+- when:
     - 'ipfs_enabled is true'
   block:
     - name: Setup ipfs-update
-      when: 'ipfs_setup is true'
+      when:
+        - 'ipfs_setup is true'
+        - "'global.update_only' not in ansible_run_tags"
       block:
         - name: Create ipfs group
           group:
@@ -72,6 +76,6 @@
 
         - include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
 
-    - name: Setup firewall
-      ansible.builtin.include_role:
-        name: iptables-ipfs
+- name: Setup IPFS firewall
+  ansible.builtin.include_role:
+    name: iptables-ipfs

roles/iptables-basic/tasks/main.yml

@@ -1,14 +1,16 @@
 ---
 # tasks file for firewall
 
-- name: Setup iptables to standard configuration
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ iptables_basic_enabled }}; iptables-basic role; setup iptables with standard/ good-default configuration"
+
+- when:
     - "is_docker is not true"
     - "iptables_basic_enabled is true"
   block:
     - name: Reset configuration if requested
       when:
-        - "iptables_basic_reset_enabled is true"
+        - "'global.uninstall' in ansible_run_tags"
       block:
         - name: Open Firewall just for a moment to flush iptables rules
           ansible.builtin.iptables:

roles/iptables-ipfs/tasks/main.yml

@@ -1,14 +1,17 @@
 ---
 # tasks file for iptables-ipfs
 
-- name: setup iptables for IPFS
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ ipfs_enabled }}; iptables-ipfs role"
+
+- when:
     - "is_docker is not true"
   block:
-    - name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
+    - name: allow/ disallow established packets on TCP/UDP port 4001 (IPFS)
       ansible.builtin.iptables:
         chain: INPUT
         protocol: tcp
+        state: "{{ 'present' if ipfs_enabled is true else 'absent' }}"
         destination_port: "{{ ipfs_port }}"
         ctstate: NEW,ESTABLISHED
         jump: ACCEPT

roles/iptables-kdeconnect/tasks/main.yml

@@ -1,24 +1,27 @@
 ---
 # tasks file for iptables-kdeconnect
-- name: Setup iptables for kdeconnect
-  when: 'kdeconnect_enabled is true'
-  block:
-    - name: Allow new, established packets on TCP Kdeconnect ports
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: tcp
-        destination_port: "{{ kdeconnect_ports }}"
-        ctstate: NEW,ESTABLISHED
-        jump: ACCEPT
 
-    - name: Allow new, established packets on UDP Kdeconnect ports
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: udp
-        destination_port: "{{ kdeconnect_ports }}"
-        ctstate: NEW,ESTABLISHED
-        jump: ACCEPT
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ kdeconnect_enabled }}; iptables-kdeconnect role"
 
-    - name: iptables-persistent
-      ansible.builtin.include_role:
-        name: iptables-persistent
+- name: Allow/ disallow new, established packets on TCP Kdeconnect ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}"
+    destination_port: "{{ kdeconnect_ports }}"
+    ctstate: NEW,ESTABLISHED
+    jump: ACCEPT
+
+- name: Allow/ disallow new, established packets on UDP Kdeconnect ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: udp
+    state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}"
+    destination_port: "{{ kdeconnect_ports }}"
+    ctstate: NEW,ESTABLISHED
+    jump: ACCEPT
+
+- name: iptables-persistent
+  ansible.builtin.include_role:
+    name: iptables-persistent

roles/iptables-persistent/tasks/main.yml

@@ -1,5 +1,9 @@
-- name: Handle iptables-persistent
-  when:
+---
+
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ iptables_persistent_save_to_file }}; iptables-persistent role"
+
+- when:
     - "is_docker is not true"
     - "iptables_persistent_save_to_file is true"
   block:

roles/iptables-persistent/tasks/save_rules_for_Debian.yml

@@ -1,3 +1,5 @@
+---
+
 - name: Save iptables rules
   block:
     - name: Save rules with iptables-persistent v4

roles/iptables-samba/tasks/main.yml

@@ -1,26 +1,29 @@
 ---
 # tasks file for iptables-samba
-- name: Setup iptables for Samba
-  when: 'samba_enabled is true'
-  block:
-    - name: Allow new, established packets on TCP Samba ports
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: tcp
-        destination_port: "{{ item }}"
-        ctstate: NEW,ESTABLISHED
-        jump: ACCEPT
-      with_items: '{{ samba_ports }}'
 
-    - name: Allow new, established packets on UDP Samba ports
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: udp
-        destination_port: "{{ item }}"
-        ctstate: NEW,ESTABLISHED
-        jump: ACCEPT
-      with_items: '{{ samba_ports }}'
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ samba_enabled }}; iptables-samba role"
 
-    - name: iptables-persistent
-      ansible.builtin.include_role:
-        name: iptables-persistent
+- name: Allow/ disallow new, established packets on TCP Samba ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    state: "{{ 'present' if samba_enabled is true else 'absent' }}"
+    destination_port: "{{ item }}"
+    ctstate: NEW,ESTABLISHED
+    jump: ACCEPT
+  with_items: '{{ samba_ports }}'
+
+- name: Allow/ disallow new, established packets on UDP Samba ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: udp
+    state: "{{ 'present' if samba_enabled is true else 'absent' }}"
+    destination_port: "{{ item }}"
+    ctstate: NEW,ESTABLISHED
+    jump: ACCEPT
+  with_items: '{{ samba_ports }}'
+
+- name: iptables-persistent
+  ansible.builtin.include_role:
+    name: iptables-persistent

roles/iptables-webserver/tasks/main.yml

@@ -1,15 +1,17 @@
 ---
 # tasks file for iptables-webserver
 
-- name: Setup iptables for webserver 80 and 443
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ iptables_webserver_enabled }}; PORTS = {{ iptables_webserver_ports }}; iptables-webserver role"
+
+- when:
     - "is_docker is not true"
-    - "iptables_webserver_enabled is true"
   block:
     - name: Allow new, established packets on TCP ports 80/443 (Webserver)
       ansible.builtin.iptables:
         chain: INPUT
         protocol: tcp
+        state: "{{ 'present' if iptables_webserver_enabled is true else 'absent' }}"
         destination_port: "{{ item }}"
         ctstate: NEW,ESTABLISHED
         jump: ACCEPT

roles/pi-hole/README.md

@@ -11,19 +11,25 @@ Requirements
 Role Variables
 --------------
 
-- **pihole_install_custom_list** (boolean): If true will install custom list into the pi-hole database
-- **pihole_update_gravity** (boolean): If true the dns database will be updated
 - **pihole_custom_list** (array): Array of URLs that can be installed as DNS lists. **Actually doesn't clean old lists before install!**
+- **pihole_install_custom_list**: If present will install custom list into the pi-hole database
+
+Role Tags
+--------------
+
+- **global.update_only**: `pihole -up`
+- **pihole.update_gravity**: If present the dns database will be updated (`pihole updateGravity`)
 
 Dependencies
 ------------
 
-.
+- curl
+- sqlite3 required by `pihole.install_custom_list`
 
 Example Playbook
 ----------------
 
-`ansible-playbook -i inventory/example.yml pi-hole.yml --extra-vars="target=example_target"`
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags dns_filter`
 
 License
 -------

roles/pi-hole/meta/main.yml

@@ -39,7 +39,8 @@ galaxy_info:
   #   - 7
   #   - 99.99
 
-  galaxy_tags: []
+  galaxy_tags:
+    - dns_filter
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.

roles/pi-hole/tasks/main.yml

@@ -1,7 +1,8 @@
 ---
 # tasks file for pi-hole
 
-- name: Pi-Hole setup
+- name: pi-hole role; setup the target as DNS server with Pi-Hole
+  when: "'global.update_only' not in ansible_run_tags"
   block:
     - name: Populate service facts
       ansible.builtin.service_facts:
@@ -17,41 +18,38 @@
           ansible.builtin.debug:
             msg: "curl -sSL https://install.pi-hole.net | bash"
 
-    - name: Check if can install custom list
-      when: 'pihole_install_custom_list is true'
-      block:
-        - name: Check if pi-hole db exists
-          stat:
-            path: /etc/pihole/gravity.db
-          register: pihole_db
-
-        - name: Install sqlite3 package
-          ansible.builtin.package:
-            name: sqlite3
-
-        - name: Install more lists than default
-          when: pihole_db.stat.exists
-          ansible.builtin.shell:
-            cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
-          loop: "{{ pihole_custom_list }}"
-
-    - name: Update Gravity
-      when: 'pihole_update_gravity is true'
-      ansible.builtin.shell: pihole updateGravity
-
     - name: iptables-webserver
       ansible.builtin.include_role:
         name: iptables-webserver
 
-    - name: Setup iptables rules
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: '{{ item }}'
-        destination_port: 53
-        jump: ACCEPT
-        comment: Accept DNS connections
-      loop: [tcp,udp]
-
     - name: iptables-persistent
       ansible.builtin.include_role:
         name: iptables-persistent
+
+- name: Update pihole FTL
+  when: "'global.update_only' in ansible_run_tags"
+  ansible.builtin.shell: pihole -up
+
+- block:
+  - name: Check if pi-hole db exists
+    stat:
+      path: /etc/pihole/gravity.db
+    register: pihole_db
+
+  - name: Install sqlite3 package
+    ansible.builtin.package:
+      name: sqlite3
+
+  - name: Install more lists than default
+    when: pihole_db.stat.exists
+    ansible.builtin.shell:
+      cmd: sqlite3 /etc/pihole/gravity.db "INSERT INTO adlist (address, enabled, comment) VALUES ('{{ item }}', 1, '');"
+    loop: "{{ pihole_custom_list }}"
+  when: "pihole_install_custom_list is true"
+
+- name: Update Gravity
+  ansible.builtin.shell: pihole updateGravity
+  when: "
+    (pihole_install_custom_list is true) or
+    ('pihole.update_gravity' in ansible_run_tags)
+    "

roles/samba/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: Setup target as a Samba server
+- name: samba role; setup the target as SMB server using an external role
   when: 'samba_enabled is true'
   include_role:
     name: vladgh.samba.server

roles/snort-community/tasks/main.yml

@@ -1,8 +1,10 @@
 ---
 # tasks file for snort-community
 
-- name: Snort Community Edition setup
-  when:
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ snort_community_enabled }}; Snort Community Edition setup"
+
+- when:
     - "snort_community_enabled is true"
   block:
     - name: Gather package facts

roles/unattended-upgrades/tasks/main.yml

@@ -1,9 +1,7 @@
 ---
 # tasks file for unattended-upgrades
 
-- name: Check if host need unattended-upgrades
+- name: Check if host need unattended-upgrades and install package
   when: "unattended_upgrades_enabled is true"
-  block:
-    - name: Install unattended-upgrades
-      ansible.builtin.package:
-        name: unattended-upgrades
+  ansible.builtin.package:
+    name: unattended-upgrades

roles/wakeonlan/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/wakeonlan/README.md

@@ -0,0 +1,37 @@
+wakeonlan
+=========
+
+This role install Wake on LAN support for target
+
+Requirements
+------------
+
+.
+
+Role Variables
+--------------
+
+Respond to:
+- **wakeonlan_enabled** (boolean): If true install and configure WoL
+- **wakeonlan_interface** (string): the interface to setup for WoL
+- **wakeonlan_mode** (string): the mode selected for WoL, default to `g`
+
+Dependencies
+------------
+
+- ethtool
+
+Example Playbook
+----------------
+
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=example_target" --tags wol`
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+- [Claudio Maradonna](https://social.unitoo.it/claudio)

roles/wakeonlan/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# defaults file for wakeonlan
+
+wakeonlan_enabled: false
+wakeonlan_interface: enp2s0
+wakeonlan_mode: g

roles/wakeonlan/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for wakeonlan

roles/wakeonlan/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/wakeonlan/tasks/install_Debian.yml

@@ -0,0 +1,3 @@
+- name: Install ethtool
+  ansible.builtin.package:
+    name: ethtool

roles/wakeonlan/tasks/install_systemd_service.yml

@@ -0,0 +1,19 @@
+- name: Setup systemd
+  when: 'is_docker is not true'
+  block:
+    - name: Install systemd files
+      ansible.builtin.template:
+        src: '{{ item.src }}'
+        dest: '/{{ item.path }}'
+      with_community.general.filetree: '../templates/systemd/'
+      vars:
+        interface: "{{ wakeonlan_interface }}"
+        mode: "{{ wakeonlan_mode }}"
+      when: item.state == 'file'
+
+    - name: Enable service
+      ansible.builtin.systemd:
+        name: wol-enable
+        state: started
+        enabled: true
+        daemon_reload: yes

roles/wakeonlan/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+# tasks file for wakeonlan
+
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ wakeonlan_enabled }}; wakeonlan role; install and configure wakeonlan on target; REQUIRES BIOS CONFIGURATION ON TARGET itself"
+
+- when:
+    - "wakeonlan_enabled is true"
+  block:
+    - name: Gather package facts
+      package_facts:
+        manager: auto
+
+    - name: Install yggdrasil if not present
+      when: "'ethtool' not in ansible_facts.packages"
+      block:
+        - include_tasks: "install_{{ ansible_os_family }}.yml"
+
+    - include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
+      ignore_errors: true

roles/wakeonlan/templates/systemd/etc/systemd/system/wol-enable.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Enable Wake-up on LAN
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ethtool -s {{ interface }} wol {{ mode }}
+
+[Install]
+WantedBy=basic.target

roles/wakeonlan/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/wakeonlan/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - wakeonlan

roles/wakeonlan/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for wakeonlan

roles/yggdrasil/README.md

@@ -12,13 +12,16 @@ Role Variables
 --------------
 
 Respond to:
-- **update_only** (boolean)
-
 - **yggdrasil_enabled** (boolean): If true install yggdrasil
 - **yggdrasil_sshd_enabled** (boolean): If true enable sshd access through Yggdrasil
-- **yggdrasil_uninstall** (boolean): if true yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
 - **yggdrasil_peers_list_url** (url): a remote file that contains the `Peers` section of yggdrasil configuration
 
+Role Tags
+--------------
+
+- **global.update_only**: If present will update only the peers
+- **global.uninstall**: If present yggdrasil will be removed from the system (requires *yggdrasil_enabled to false*)
+
 Dependencies
 ------------
 

roles/yggdrasil/defaults/main.yml

@@ -3,5 +3,4 @@
 
 yggdrasil_enabled: false
 yggdrasil_sshd_enabled: false
-yggdrasil_uninstall: false
 yggdrasil_peers_list_url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/yggdrasil/peers.conf

roles/yggdrasil/meta/main.yml

@@ -39,7 +39,8 @@ galaxy_info:
   #   - 7
   #   - 99.99
 
-  galaxy_tags: []
+  galaxy_tags:
+    - yggdrasil
     # List tags for your role here, one per line. A tag is a keyword that describes
     # and categorizes the role. Users find roles by searching for tags. Be sure to
     # remove the '[]' above, if you add tags to this list.

roles/yggdrasil/tasks/main.yml

@@ -1,7 +1,11 @@
-- name: Install and configure yggdrasil
-  when:
+---
+
+- ansible.builtin.debug:
+    msg: "ENABLED = {{ yggdrasil_enabled }}; yggdrasil-role; install and configure yggdrasil overlay network"
+
+- when:
     - "yggdrasil_enabled is true"
-    - "update_only is false"
+    - "'global.update_only' not in ansible_run_tags"
   block:
     - name: Gather package facts
       package_facts:
@@ -64,8 +68,9 @@
 - name: Remove yggdrasil if not enabled
   when:
     - "yggdrasil_enabled is false"
-    - "yggdrasil_uninstall is true"
-    - "update_only is false"
+    - "'yggdrasil' in ansible_run_tags"
+    - "'global.uninstall' in ansible_run_tags"
+    - "'global.update_only' not in ansible_run_tags"
   block:
     - name: Gather package facts
       package_facts:
@@ -79,5 +84,4 @@
 
 - when:
     - "yggdrasil_enabled is true"
-  block:
-    - include_tasks: "update_peers.yml"
+  include_tasks: "update_peers.yml"

roles/zabov/README.md

@@ -1,16 +1,19 @@
 zabov
 =========
 
-This role setup Zabov DNS filter
+This role setup Zabov DNS filter. More information here: https://git.keinpfusch.net/loweel/zabov
+
 
 Requirements
 ------------
 
-.
+- golang >= 1.13
 
 Role Variables
 --------------
 
+- **go_path** (string)
+
 - **zabov_git_url** (string): Git valid url of Zabov
 - **zabov_git_branch** (string): Zabov Git branch
 - **zabov_installation_path** (string): Zabov installation path

roles/zabov/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 # tasks file for zabov
 
-- name: Install zabov from sources
+- name: zabov role; install zabov from sources
   when: 'go_path is defined'
   block:
     - name: Install git if needed